Looking for links: passenger & selinux

David Quigley selinux at davequigley.com
Thu Mar 14 19:57:04 UTC 2013


On 03/14/2013 15:49, m.roth at 5-cent.us wrote:
> Miroslav wrote:
>> m.roth at 5-cent.us wrote:
>>>> Gag. I hate passenger...
>>>
>>>> This is CentOS 6.3
>>>
>>>> Does someone have a link to info on what selinux passenger context to set
>>>> what files to?  I see passenger set to lib_t, which I may have done a
>>>> while back, but the current policy may be more picky. I've looked at the
>>>> passenger_selinux manpage, and it doesn't suggest what they should be. The
>>>> version of ruby my users are on is the old 1.8.7 enterprise, *not*
>>>> installed from an rpm, so nothing's correct....
>>>
>>> Following myself up, a clarification: I've seen pages that say to set all
>>> of passenger to httpd_sys_content_t; however, since there's explicitly a
>>> passenger_*_t, and I *assume* that it allows it to transition to run
>>> things like ps, and status, I'd like to set them *correctly*, rather than
>>> as httpd*, and then allow all sorts of things for httpd to do as policy.
>
>> We have passenger fixes in RHEL6.4. Basically you will need to follow
>> http://git.fedorahosted.org/cgit/selinux-policy.git/tree/passenger.fc?h=f18-contrib
>> labeling.
>
> Thanks, Miroslav. Here's what (once I thought of it) seems like an obvious
> question: is there a way, in selinux, to say "I installed this stuff over
> here, not in the usual place (say, from a tarball instead of an rpm), but
> I want to label everything correctly, something like
> <selinuxrelabel> passenger-policy /opt/ruby/gem/etc?
>
>      mark
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

The semanage fcontext -e option is exactly what you want. I think the 
exact command would be semanage fcontext -a -e <original location> 
<target location>.

That will say treat target on down the same way you treat the original 
location down.

Dave
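
Added example, not part of the original message: a shell sketch of the equivalence rule described above, with a small model of which paths it covers and a wrapper that registers it and relabels the tree. The function names and the placeholder paths are hypothetical, and the whole-component prefix matching in the model is an assumption about how the lookup treats the rule.

```bash
#!/bin/bash
# Added example, not from the original thread. All paths are placeholders.

# Model of what an equivalence rule does at label lookup time: a path at or
# below TARGET is looked up as if it sat at the same relative position under
# SOURCE. Assumption: matching is on whole path components, so a sibling such
# as /opt/example2 is NOT covered by a rule for /opt/example.
equiv_lookup_path() {
    local src="${1%/}" tgt="${2%/}" path="$3"
    case "$path" in
        "$tgt")   printf '%s\n' "$src" ;;
        "$tgt"/*) printf '%s\n' "$src${path#"$tgt"}" ;;
        *)        printf '%s\n' "$path" ;;   # outside the rule: unchanged
    esac
}

# Register the equivalence, relabel the tree, then verify the result.
# Needs root and the SELinux userland tools on the host.
apply_equivalence() {
    local src="${1%/}" tgt="${2%/}"
    [ -d "$tgt" ] || { echo "no such directory: $tgt" >&2; return 1; }
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found" >&2; return 1; }
    # Same argument order as in the reply: original location, then target.
    semanage fcontext -a -e "$src" "$tgt" || return 1
    # The rule only changes what policy expects; existing files keep their
    # old labels until they are relabelled.
    restorecon -R -v "$tgt" || return 1
    # Check that the on-disk context now matches the policy default.
    matchpathcon -V "$tgt"
}

# Usage (as root), with placeholder locations:
#   apply_equivalence /ORIGINAL/LOCATION /TARGET/LOCATION
```
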


